CVE-2024-13553
SMS Alert Order Notifications – WooCommerce <= 3.7.9 - Unauthenticated Account Takeover/Privilege Escalation
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
SMS Alert Order Notifications – WooCommerce <= 3.7.9 - Unauthenticated Account Takeover/Privilege Escalation
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.
Reserved 2025-01-20 | Published 2025-04-01 | Updated 2025-04-01 | Assigner WordfenceCWE-288 Authentication Bypass Using an Alternate Path or Channel
| 2025-03-31: | Disclosed |
Lucio Sá
www.wordfence.com/...-11c5-4219-b4fe-635084cbac3a?source=cve
plugins.trac.wordpress.org/...ms-alert&sfp_email=&sfph_mail=
plugins.trac.wordpress.org/...ms-alert&sfp_email=&sfph_mail=
Support options
